Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Remote Access Detection Report

by Stephanie Dunn
November 9, 2016

Many organizations today utilize remote access services and applications to remotely connect to internal systems within a network. Without continuous monitoring, these services can be exploited and leave critical data at risk. This report presents a high-level overview of known remote access vulnerabilities from products such as Cisco AnyConnect, Citrix GoToAssist, Microsoft Remote Desktop, and RealVNC.

The content in this report leverages all collection methods from Tenable SecurityCenter Continuous View (CV). By using Tenable Nessus and the Tenable Passive Vulnerability Scanner (PVS), the components are able to identify systems capable of remote access. Nessus looks for installed software, browser plugins, and other artifacts pointing to desktop control software to identify systems with remote access capabilities. PVS passively monitors network traffic to identify vulnerabilities and perform host, application, and operating system discovery using advanced packet analysis. 

This report uses the Common Platform Enumeration (CPE) filter to identify many of the software programs used in enterprise networks. According to NIST, the CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. Tenable assigns CPEs to plugins where appropriate. This allows for analysts to search for common CPE prefixes such as “cpe:/a:cisco:vpn,” “cpe:/a:citrix:gotoassist,” and “cpe:/a:realvnc.” Associating CPE strings with vulnerabilities allows the analysts to separate operating system vulnerabilities from application vulnerabilities, and adds to the level of vulnerability detail provided to the organization.

The Tenable Log Correlation Engine (LCE) is used to log PVS events and track other remote access related events. LCE also provides the ability to monitor NetFlow information by either collecting NetFlow flows using the Tenable NetFlow Monitor or by using the Tenable Network Monitor Agent. The Network Monitor Agent works similar to a NetFlow collector, but stores the records in a LCE-friendly method. An additional benefit of the Network Monitor Agent is that any syslog messages captured will also be forwarded to LCE for analysis. The NetFlow and Network Monitor Agent can detect traffic patterns, which can then be identified as interesting. Remote access activity leverages the destination port filter, which shows common ports used for remote access. Security teams can use this information to identify malicious activity, along with any potential false positives. Additionally, this data can be useful in understanding and mitigating potential threat vectors, and securing remote access solutions within the organization.

This report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the SecurityCenter Feed under the category Threat Detection & Vulnerability Assessments. The report requirements are:

  • SecurityCenter 5.3.1
  • Nessus 6.8.1
  • PVS 5.1.0
  • LCE 4.8.0
  • Tenable NetFlow Monitor
  • Tenable Network Monitor

Tenable Network Security transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect the organization. SecurityCenter is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audit files. Active scanning examines running processes and services, including remote access services, and detects vulnerable software applications, configuration settings, and additional vulnerabilities. Monitoring the network to ensure that all systems are secured against vulnerabilities is essential to ongoing security efforts. With more than one million users and more than 20,000 enterprise customers worldwide, organizations trust Tenable for proven security innovation. Tenable’s customers range from Fortune Global 500 companies, to the Department of Defense, to mid-sized and small businesses in all sectors, including finance, government, healthcare, higher education, retail, and energy. Transform security with Tenable, the creators of Nessus and leaders in continuous monitoring, by visiting tenable.com.

The following chapters are included within this report:

  • Executive Summary: The Executive Summary chapter provides a high-level overview of remote access related vulnerabilities that have been detected on the network. Vulnerabilities are tracked by severity, applications, and protocols in order to provide a complete look at remote access solutions that may be at risk. These services help to protect critical services and infrastructure within an organization, and help to detect and prevent unauthorized users and devices from connecting to internal resources. Using the elements within this report, analysts will be able to quickly identify, remediate, and reduce overall security risks.
  • Remote Access Vulnerabilities: The Remote Access Vulnerabilities chapter provides insight into vulnerabilities detected from remote access solutions within the network. Each element will alert on specific remote access vulnerabilities that have been detected, along with a detailed vulnerability summary. Each table presents the latest information on relevant vulnerabilities, including plugin, name, family, severity, and total count of vulnerabilities detected. Data presented within this chapter can be modified to include specific CPE filters, additional host information, and additional details on the detected vulnerability.